
| Subject: | [Full-disclosure] two (not critical) bugs in libnids 1.22 |
|---|---|
| Date: | Wed, 20 Feb 2008 22:26:28 +0100 |
hi all,

libnids 1.22 has two bugs preventing it from working correctly in 802.11x networks. I and the libnids author have no time to write a patch. After some silent months, I decided to publish them so that probably someone will do the required fixes and will propose a working patch to the author.

For libnids code and contacts: http://libnids.sourceforge.net/

A basic description of the bugs follows.

========== BUG1 ==========

In function nids_pcap_handler, you added in version 1.22 the support for DLT_IEEE802_11_RADIO, but it breaks the support for DLT_PRISM_HEADER: when linktype == DLT_PRISM_HEADER, the following code is executed:

---begin---
    case DLT_PRISM_HEADER:
        nids_linkoffset = 144; //sizeof(prism2_hdr);
        linkoffset_tweaked_by_prism_code = 1;
        //now let DLT_IEEE802_11 do the rest
#endif
#ifdef DLT_IEEE802_11_RADIO
    case DLT_IEEE802_11_RADIO:
        // just get rid of the radio tap header
        nids_linkoffset = 25; // sizeof(radio tap header)
        linkoffset_tweaked_by_radio_code = 1;
        //now let DLT_IEEE802_11 do the rest
#endif
#ifdef DLT_IEEE802_11
    case DLT_IEEE802_11:
---end---

nids_linkoffset is set in DLT_PRISM_HEADER but always overwritten in DLT_IEEE802_11_RADIO.

========== BUG2 ==========

In function nids_pcap_handler, in DLT_IEEE802_11, you erroneously compute the header size of 802.11 packets with TYPE 0 (Data frame) and SUBTYPE 8 (something for QOS). In this situation, you have 2 extra bytes of header. The following extra check should fix the problem:

    if (IEEE80211_QOS_HAS_SEQ(wh))
        len += sizeof(u_int16_t);

This macro comes from:

$FreeBSD: src/sys/net80211/ieee80211.h,v 1.9.2.2 2006/08/10 06:07:49 sam Exp $

I did the same for some code I'm writing; it's ok and works well.

==========================

bye!

--
Michele Dallachiesa 'xenion'
http://xenion.antifork.org
Antifork Research, Inc.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
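Both bugs in the message above come down to how many bytes to skip before the LLC/SNAP payload: a per-DLT link-layer prefix, then a variable-length 802.11 MAC header. The block below is an added example written for this page; it is neither libnids code nor the poster's patch. It computes the prefix with one `break` per `case` (so the Prism offset is not overwritten by the radiotap case, which is BUG1) and the MAC header length including the two-byte QoS control field (BUG2) and the fourth address of WDS frames. The `DLT_*` values are the standard libpcap numbers; the frame-control masks and the `QOS_HAS_SEQ` test are adapted from FreeBSD's net80211/ieee80211.h to operate on a single byte instead of a struct pointer, and they encode data frames as type value 2 (0x08 in the first frame-control byte) with the QoS subtype bit 0x80 set. The sample frames, their placeholder addresses and the `demo_prism_payload_offset` helper are constructed for this example. Two caveats a practitioner would want: the radiotap header is variable-length and carries its own `it_len` field at offset 2, so the example reads that rather than assuming a constant 25, and every computed offset is bounds-checked against the capture length before it is used.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Link-layer types as numbered in libpcap. */
#define DLT_IEEE802_11        105
#define DLT_PRISM_HEADER      119
#define DLT_IEEE802_11_RADIO  127

/* Frame-control masks, adapted from FreeBSD net80211/ieee80211.h. */
#define IEEE80211_FC0_TYPE_MASK    0x0c
#define IEEE80211_FC0_TYPE_DATA    0x08   /* type value 2 in bits 2..3 */
#define IEEE80211_FC0_SUBTYPE_QOS  0x80
#define IEEE80211_FC1_DIR_MASK     0x03
#define IEEE80211_FC1_DIR_DSTODS   0x03   /* ToDS and FromDS both set */

/* True for QoS data frames (the frames that carry a 2-byte QoS control field). */
#define IEEE80211_QOS_HAS_SEQ(fc0) \
    (((fc0) & (IEEE80211_FC0_TYPE_MASK | IEEE80211_FC0_SUBTYPE_QOS)) == \
     (IEEE80211_FC0_TYPE_DATA | IEEE80211_FC0_SUBTYPE_QOS))

/* Bytes preceding the 802.11 header for a given pcap link type, or -1 if the
 * link type is unsupported or the capture is too short.  Every case ends with
 * its own break: a fall-through from the Prism case into the radiotap case is
 * exactly what overwrote the 144-byte offset in libnids 1.22 (BUG1). */
int wifi_link_offset(int linktype, const uint8_t *pkt, size_t caplen)
{
    int off = -1;
    switch (linktype) {
    case DLT_PRISM_HEADER:
        off = 144;                                  /* sizeof(prism2_hdr) */
        break;
    case DLT_IEEE802_11_RADIO:
        /* radiotap: u8 it_version (must be 0), u8 it_pad, u16 LE it_len, ... */
        if (caplen >= 4 && pkt[0] == 0) {
            off = pkt[2] | (pkt[3] << 8);
            if (off < 8)                            /* shorter than the fixed part */
                off = -1;
        }
        break;
    case DLT_IEEE802_11:
        off = 0;
        break;
    default:
        return -1;
    }
    if (off < 0 || (size_t)off > caplen)
        return -1;
    return off;
}

/* Length of the 802.11 MAC header at wh for management and data frames:
 * 24 bytes, +6 for addr4 on WDS frames, +2 for the QoS control field on QoS
 * data frames (the BUG2 fix).  Control frames (shorter headers) are not
 * handled here.  Returns -1 when the header does not fit in caplen. */
int wifi_hdr_len(const uint8_t *wh, size_t caplen)
{
    if (caplen < 24)
        return -1;
    int len = 24;
    if ((wh[1] & IEEE80211_FC1_DIR_MASK) == IEEE80211_FC1_DIR_DSTODS)
        len += 6;                                   /* fourth address */
    if (IEEE80211_QOS_HAS_SEQ(wh[0]))
        len += sizeof(uint16_t);                    /* QoS control field */
    return (size_t)len <= caplen ? len : -1;
}

/* Offset of the LLC/SNAP payload in a captured packet, or -1 if malformed. */
int wifi_payload_offset(int linktype, const uint8_t *pkt, size_t caplen)
{
    int lo = wifi_link_offset(linktype, pkt, caplen);
    if (lo < 0)
        return -1;
    int hl = wifi_hdr_len(pkt + lo, caplen - (size_t)lo);
    return hl < 0 ? -1 : lo + hl;
}

/* Constructed sample: minimal 8-byte radiotap header (version 0, it_len 8,
 * no present fields) followed by a QoS data frame from a station to its AP
 * (ToDS) and the first three bytes of an LLC/SNAP header.  Addresses are
 * placeholders. */
static const uint8_t sample_radiotap_qos[] = {
    0x00, 0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00,  /* radiotap */
    0x88, 0x01,                                      /* fc: QoS data, ToDS */
    0x00, 0x00,                                      /* duration */
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,              /* addr1 */
    0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,              /* addr2 */
    0xcc, 0xdd, 0xee, 0xff, 0x00, 0x11,              /* addr3 */
    0x10, 0x00,                                      /* sequence control */
    0x00, 0x00,                                      /* QoS control */
    0xaa, 0xaa, 0x03                                 /* LLC: DSAP, SSAP, ctrl */
};

/* Constructed sample: QoS data frame with both ToDS and FromDS set, so the
 * header carries addr4 as well (24 + 6 + 2 = 32 bytes); remaining bytes zero. */
static const uint8_t sample_wds_qos[32] = { 0x88, 0x03 };

/* Constructed DLT_PRISM_HEADER case: 144 zero bytes standing in for the Prism
 * header (only its size matters) followed by a plain, non-QoS data frame.
 * With the 1.22 fall-through the prefix would have been taken as 25 bytes. */
int demo_prism_payload_offset(void)
{
    uint8_t pkt[144 + 24 + 3];
    memset(pkt, 0, sizeof pkt);
    pkt[144] = 0x08;                                 /* fc0: data, non-QoS */
    pkt[145] = 0x00;                                 /* fc1: neither DS bit */
    return wifi_payload_offset(DLT_PRISM_HEADER, pkt, sizeof pkt);
}

int main(void)
{
    printf("radiotap + QoS data: payload at offset %d\n",
           wifi_payload_offset(DLT_IEEE802_11_RADIO, sample_radiotap_qos,
                               sizeof sample_radiotap_qos));
    printf("prism + data:        payload at offset %d\n",
           demo_prism_payload_offset());
    return 0;
}
```

Reading `it_len` from the radiotap header, rather than a fixed 25, matters in practice because drivers emit different sets of radiotap fields, so the prefix length differs from card to card and even from frame to frame.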